This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: Passwordless login with ssh


Corinna Vinschen wrote:

On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:

Sorry, I searched the list and did not get a definitive answer. What I'm trying to do is to secure things up a little bit around here. I would like to use ssh. But I also want to allow valid users to ssh <remove> <command> without being prompted for a password. I'm not sure this is doable.

Reading from openssh-3.7.1p2-1.README I see

Authentication to sshd is possible in one of two ways. You'll have to decide before starting sshd!

- If you want to authenticate via RSA and you want to login to that machine to exactly one user account you can do so by running sshd under that user account. You must change /etc/sshd_config to contain the following:

RSAAuthentication yes

Moreover it's possible to use rhosts and/or rhosts with RSA authentication by setting the following in sshd_config:

RhostsAuthentication yes
RhostsRSAAuthentication yes

Seems to me that the above says I can only use RSA Authentication IFF I only want to allow one username to be able to login. Or

You missed the part under "Important change since 2.9p2":


"Since Cygwin is able to switch user context without password beginning with version 1.3.2, OpenSSH now allows to do so when it's running under a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to allow that feature."

No I saw that part too however it just seemed more confusing to me.


This is a bit too brief, I admit. Actually, the account that may switch user context without password needs the "create a token object" privilege. This is by default only the SYSTEM user. So, running sshd under the SYSTEM account gives you what you want.

I currently have sshd running correctly as a service. I can log in as any user however right now I need to specify my password:


$ ssh starbase id
Andrew@starbase's password:
uid=1003(Andrew) gid=513(DeFaria) groups=513(DeFaria),544(Administrators),545(Users)


Now from what I see I need to run ssh-user-config to generate the necessary keys for passwordless login:

$ ssh-user-config
/home/Andrew DeFaria
/home/Andrew DeFaria is set in /etc/passwd as your home directory
but it is not a valid directory. Cannot create user identity files.

Ugh! Seems ssh-user-config doesn't support directories with spaces in them! (Would it be hard/impossible to support this?) Let me demonstrate my problem at work where I have a home directory without a space.

$ ssh adefaria id
adefaria@adefaria's password:
uid=1370(adefaria) gid=513(Domain Users) groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)


Same situation. I can use ssh for any user but I must enter a password. Now for ssh-user-config:

$ ssh-user-config
Shall I create an SSH1 RSA identity file for you? (yes/no) yes
Generating /us/adefaria/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 RSA identity file for you? (yes/no)  (yes/no) yes
Generating /us/adefaria/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 DSA identity file for you? (yes/no)  (yes/no) yes
Generating /us/adefaria/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys

Configuration finished. Have fun!

$ ssh adefaria id
adefaria@adefaria's password:
uid=1370(adefaria) gid=513(Domain Users) groups=1834(clearcase),512(Domain Admins),513(Domain Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)


As you can see ssh-user-config did not change the need to enter my password for ssh.

Except on 2003 Server. There you'll have to create a new account (say "sshd_srv", *not* "sshd") which is part of the admins group and has the appropriate extra privileges:

"Create a token object"
"Replace process level token"
"Increase quotas"
"Logon as a service"

The system account does of course own those user rights by default.

Unfortunately, if you choose that way, you can only logon with NT password authentication and you should change /etc/sshd_config to contain the following:

Yeah, should be rewritten.


RhostsAuthentication no

Ugh. Rhosts authentication is dropped entirely since 3.7p1.


Corinna
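An added example, not from this thread or from the Cygwin openssh package: a small POSIX sh check of the per-user preconditions ssh-user-config is supposed to leave behind for key-based login (a real home directory, a ~/.ssh and authorized_keys that only the owner can write, every generated public key present in authorized_keys), with every path quoted so a home directory like "/home/Andrew DeFaria" is handled instead of rejected. It assumes GNU `stat -c` and sshd's default StrictModes behaviour; the key material in the demo is constructed, not a real key.

```shell
#!/bin/sh
# check_key_login.sh: added example, not part of the original thread.
# Verifies the local-account preconditions for key-based ssh login.

# Return 0 when the group or world write bit is set on $1. sshd with
# StrictModes (its default) ignores keys in a ~/.ssh or authorized_keys
# that anyone besides the owner can write. Assumes GNU stat.
writable_by_others() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# check_key_login HOME: print the first problem found and return 1,
# or print an OK line and return 0.
check_key_login() {
    home="$1"; sshdir="$1/.ssh"; auth="$1/.ssh/authorized_keys"
    # The same check ssh-user-config makes: the passwd entry must name a real directory.
    [ -d "$home" ] || { echo "home '$home' is not a valid directory"; return 1; }
    [ -d "$sshdir" ] || { echo "missing '$sshdir'"; return 1; }
    [ -f "$auth" ] || { echo "missing '$auth'"; return 1; }
    for p in "$sshdir" "$auth"; do
        if writable_by_others "$p"; then
            echo "'$p' is group/world writable; sshd will not trust it"; return 1
        fi
    done
    # Each generated public key must appear verbatim as a line of authorized_keys.
    for pub in "$sshdir"/*.pub; do
        [ -f "$pub" ] || continue
        grep -qxF "$(cat "$pub")" "$auth" || { echo "'$pub' is not in '$auth'"; return 1; }
    done
    echo "key login preconditions OK for '$home'"
}

# Demo on a constructed home directory whose name contains a space.
demo_home="$(mktemp -d)/Andrew DeFaria"
mkdir -p "$demo_home/.ssh" && chmod 700 "$demo_home/.ssh"
echo "ssh-rsa AAAAB3constructedDemoKey== Andrew@starbase" > "$demo_home/.ssh/id_rsa.pub"
cp "$demo_home/.ssh/id_rsa.pub" "$demo_home/.ssh/authorized_keys"
chmod 600 "$demo_home/.ssh/authorized_keys"
check_key_login "$demo_home"
rm -rf "${demo_home%/*}"
```

Run it against the real account with `check_key_login "$HOME"` after ssh-user-config; a failure line names the first thing sshd would reject before it ever looks at the key.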




